urelas | b60e72880976381a40581a44490c9f907fb4ef75bc8527a36697f20b6d719164

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe
Size

461KB
MD5

1f01035c9416593a37ef082c83ee4bbc
SHA1

4066b194b99c52dad1a54367a1b2c7d761e467f3
SHA256

b60e72880976381a40581a44490c9f907fb4ef75bc8527a36697f20b6d719164
SHA512

f48e6c1f50c8118e0c9a5ced92ebcac54baf191554fe325a4bb84b0d898ee478c09c147e1b4fa63831a1608bbcf0acfdffe3a4c09ed2001c139852a4d9668384
SSDEEP

6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFRdm7:LMpASIcWYx2U6hAJQnV

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	irmeko.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	poopn.exe

Executes dropped EXE 3 IoCs

pid	Process
2756	poopn.exe
4672	irmeko.exe
4244	puwop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poopn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irmeko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puwop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe
4244	puwop.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 2756	4724	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe	88
PID 4724 wrote to memory of 2756	4724	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe	88
PID 4724 wrote to memory of 2756	4724	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe	88
PID 4724 wrote to memory of 4364	4724	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe	89
PID 4724 wrote to memory of 4364	4724	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe	89
PID 4724 wrote to memory of 4364	4724	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe	89
PID 2756 wrote to memory of 4672	2756	poopn.exe	92
PID 2756 wrote to memory of 4672	2756	poopn.exe	92
PID 2756 wrote to memory of 4672	2756	poopn.exe	92
PID 4672 wrote to memory of 4244	4672	irmeko.exe	112
PID 4672 wrote to memory of 4244	4672	irmeko.exe	112
PID 4672 wrote to memory of 4244	4672	irmeko.exe	112
PID 4672 wrote to memory of 1452	4672	irmeko.exe	113
PID 4672 wrote to memory of 1452	4672	irmeko.exe	113
PID 4672 wrote to memory of 1452	4672	irmeko.exe	113

C:\Users\Admin\AppData\Local\Temp\2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\poopn.exe
  "C:\Users\Admin\AppData\Local\Temp\poopn.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\irmeko.exe
    "C:\Users\Admin\AppData\Local\Temp\irmeko.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\puwop.exe
      "C:\Users\Admin\AppData\Local\Temp\puwop.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
4f705f9b1a23291fc228783efd55fb5a

SHA1
1e90757da21a19a6d2053a2e52a8e5569d404204

SHA256
fe677c22507f49e20e89bcad8c9232ea95bab9f272690eb14e5f3a66019a18d3

SHA512
440dc36bde4f32ee6cc4eb3d84d832f3986daed4991794c22ea2bfa8b8e0b09b4df7c016d25860217f27a77f5ce97f903b37dcee0705786ead9fa43d97c1ed60

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c8d29bbf6b0adb85e0e239a70013771b

SHA1
ce7329280b9f5cf21d98bd096084e2f41b31e4d5

SHA256
4698c29b5de46e168a2e674b683907bed693949539786bf70c9e816c75d089d3

SHA512
bf22810caaa4aeb61a89146ac8f3b7af9c3112dc49ec02f590c9db6cb32dff971706cdcb007ce0a10e8801106a5d8039fdaa03f6c3b2cc2f57d85c57266349d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
74dd98cbcbc80db3e6df7da04116ce17

SHA1
2b3e4e6991305ff7da069f35ecb87a1b4dd9c58c

SHA256
eacbef3df4b078564dbcb91a711aac0edf20c05cd23fc448b317ab9f280f0f71

SHA512
65a0ec1ec32d8fdeecc752891b0659875edae6ef8fbac3dfec7de35874444ea02262eed5c4e047837201a4d89e67b89725cffbe1d5598bcb21ce6ad68f86fe08

Download Submit
C:\Users\Admin\AppData\Local\Temp\irmeko.exe

Filesize
461KB

MD5
7d97bc84326b0cff19137f3ed443fa4c

SHA1
868f8226a0bd5a5feda3fa2f7daad816e42fc87a

SHA256
9a0234f1d39774b9ce5306bb92efd112936a2c0fab9205ca1a5c1ad8dc37a52c

SHA512
57960df160826defe1e3ff4cd14185fa82028fc9fde70d6455a1d1c73eb98110fbf12c38dfac00342f0ef1cc38e6c5bb5c9327b92f6b8a3f5e04638ebc51bd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\poopn.exe

Filesize
461KB

MD5
24dd17e3bf5d3798fa545f28a72fbd55

SHA1
a728e184495f95e09690a47b1be314ab8e0ea7f8

SHA256
f2a62d0c87aa03d5598457cf2ac4db89784dc25e85bb56e3a4ecc2456bf19daa

SHA512
a1f040e59879adf3128ff0700a0d4678e42f4f9b08321b8567250a21fc1fa984fa6d41ffd27b0d5fcdc756fbe2712f3490ad600ad34cdc12e3e0220f4c6733c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\puwop.exe

Filesize
223KB

MD5
d6c925af66c304fe48f14efe51e7f5aa

SHA1
8987a7596d27802e162e4ac1655316ca92ad4114

SHA256
df83d05968ad383215dae3dc6cf97db706a88a8a4901f53eb7c86fddd9a7cb00

SHA512
f7d8e9feb4a5b8dfcf61e7a33521a4a70f6b05d6319af57fb63785f6154613b2f9d7dfe0ee7ee263ddfcb30824307b2936ea69505a88aea77b2eae6e57d87020

Download Submit
memory/2756-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4244-37-0x0000000000440000-0x00000000004E0000-memory.dmp

Filesize
640KB

Download
memory/4244-41-0x0000000000440000-0x00000000004E0000-memory.dmp

Filesize
640KB

Download
memory/4244-42-0x0000000000440000-0x00000000004E0000-memory.dmp

Filesize
640KB

Download
memory/4244-43-0x0000000000440000-0x00000000004E0000-memory.dmp

Filesize
640KB

Download
memory/4244-44-0x0000000000440000-0x00000000004E0000-memory.dmp

Filesize
640KB

Download
memory/4244-45-0x0000000000440000-0x00000000004E0000-memory.dmp

Filesize
640KB

Download
memory/4672-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4672-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4724-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4724-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download